Forum Discussion

TJ_Vreugdenhil
Jan 05, 2018

Config-sync only certain BIG-IP folders

Hey guys -

We have F5 platforms at each datacenter using an OTV link to extend Layer 2 services.

We would like to be able to synchronize everything in the /Common folder/partition, but create a site-specific folder or partition that does not get synchronized. Reading the snippet below, it seems like this is doable using folders. But it is not clear to me how to actually assign a folder to a specific traffic-group, and then to a specific sync-only device group?

Any help on the configuration steps to accomplish this? (BIG-IP 12.1.2)

Folders
A folder is a container for BIG-IP configuration objects. You can use folders to set up synchronization and failover of configuration data in a device group. You can sync all configuration data on a BIG-IP device, or you can sync and fail over objects within a specific folder only.

https://support.f5.com/csp/article/K13946
  • can you try something like this?

    // active

    [root@bip1a:Active:In Sync] config # tmsh list sys folder /Common/local
    sys folder local {
        device-group none
        inherited-devicegroup false
        inherited-traffic-group false
        traffic-group traffic-group-local-only
    }
    [root@bip1a:Active:In Sync] config # tmsh create ltm pool /Common/local/localpool_test
    [root@bip1a:Active:In Sync] config # tmsh list ltm pool /Common/local/*
    ltm pool local/localpool_test { }
    [root@bip1a:Active:In Sync] config #

    // standby

    [root@bip1b:Standby:In Sync] config # tmsh list sys folder /Common/local
    sys folder local {
        device-group none
        inherited-devicegroup false
        inherited-traffic-group false
        traffic-group traffic-group-local-only
    }
    [root@bip1b:Standby:In Sync] config # tmsh list ltm pool /Common/local/*
    01020036:3: The requested Pool (/Common/local/*) was not found.
    [root@bip1b:Standby:In Sync] config #

    normally i use sync only device group to sync object among big-ip in different ha pair e.g. fips key across 2 pairs of big-ip.

    • TJ_Vreugdenhil

      Thanks Nitass, that is helpful!

      So we really have a pair of F5 devices at each datacenter.

      So would I have to do something like this?

      DC1 device-group 1 sync-failover (DC1-bigip1, DC1-bigip2)

      DC2 device-group 2 sync-failover (DC2-bigip3, DC2-bigip4)

      device-group 3 sync-only (DC1-bigip1, DC1-bigip2, DC2-bigip3, DC2-bigip4)

      device-group 4 (DC1 site local) sync-only DC1-bigip1, DC1-bigip2

      device-group 5 (DC2 site local) sync-only (DC2-bigip3, DC2-bigip4)

      traffic-group-4 (device-group-4 ) virtual-address 4

      traffic-group-2 (device-group 1, device-group 2) virtual-address 1 virtual-address 2

      Also, is there an easy way to create the local datacenter's VIP, self IPs, pool, etc. inside the "local" folder via the GUI? Or do the configuration objects have to be created or moved using the CLI/TMSH if you want them in a certain folder?

      Thanks!

    • nitass_89166

      DC1 device-group 1 sync-failover (DC1-bigip1, DC1-bigip2)

      DC2 device-group 2 sync-failover (DC2-bigip3, DC2-bigip4)

      doesn't failover happen inside each dc e.g. bigip1 to bigip2 or vice versa, bigip3 to bigip3 or vice versa? if you want to synchronize some object among all 4 bigip, you can create sync only device group with all 4 bigip as members. whatever object with this sync only device group will be synchronized to all the bigip e.g. certificate, private key.

      is there an easy way to create the local datacenter's VIP, self IP's, pool, etc inside the "local" folder via the GUI?

      you can use full path when creating object in gui e.g. /Common/local/localpool_test as a pool name.

    • TJ_Vreugdenhil

      Nice find. That was exactly what I was going for. I didn't end up doing it for a client to avoid administration complexity. It's easy to understand if you set it up yourself, but if a new resource came in, they may not know or remember to create objects in the correct folder.

    • TJ_Vreugdenhil

      Actually, the article is close to what we were going for. But a little different. Either way, it's a good reference.
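
An added example, not part of any post in this thread: a shell check that reads `tmsh list sys folder` stanzas in the format nitass posted and confirms that a folder meant to stay site-local still has `device-group none`, `inherited-devicegroup false` and `traffic-group-local-only`. The sample stanzas are constructed; the folder names `shared` and `drifted` and the device group `dg-all-sites` are assumptions.

```shell
#!/bin/sh
# Added example: audit folder stanzas for a folder that must not be config-synced.
# SAMPLE_FOLDERS is constructed test input in the stanza format shown in the thread;
# "shared", "drifted" and "dg-all-sites" are hypothetical names.
SAMPLE_FOLDERS='sys folder local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-local-only
}
sys folder shared {
    device-group dg-all-sites
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-1
}
sys folder drifted {
    device-group dg-all-sites
    inherited-devicegroup true
    inherited-traffic-group true
    traffic-group traffic-group-1
}'

# folder_table: stanzas on stdin -> one line per folder:
#   name device-group inherited-devicegroup traffic-group
folder_table() {
    awk '
        $1 == "sys" && $2 == "folder" { name = $3; dg = "?"; inh = "?"; tg = "?"; next }
        $1 == "device-group"          { dg = $2 }
        $1 == "inherited-devicegroup" { inh = $2 }
        $1 == "traffic-group"         { tg = $2 }
        $1 == "}" && name != ""       { print name, dg, inh, tg; name = "" }
    '
}

# audit_local FOLDER: stanzas on stdin; prints one finding per deviation and
# returns non-zero if FOLDER is missing or no longer site-local.
audit_local() {
    folder_table | awk -v want="$1" '
        BEGIN { bad = 0; seen = 0 }
        $1 != want { next }
        { seen = 1 }
        $2 != "none"  { print want ": device-group is " $2 " (expected none)"; bad = 1 }
        $3 != "false" { print want ": inherited-devicegroup is " $3 " (expected false)"; bad = 1 }
        $4 != "traffic-group-local-only" { print want ": traffic-group is " $4; bad = 1 }
        END { if (!seen) { print want ": folder not found"; bad = 1 }; exit bad }
    '
}
```

On a unit, pipe the output of the `tmsh list sys folder /Common/local` command shown above into `audit_local local`; silence and a zero exit status mean the folder still matches the settings in the thread.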